Campaign of the month

Learn about the latest cyber attacks and vulnerabilities in our monthly Campaigns.

Dissecting ToolShell: Multi-stage exploit chain targeting Microsoft SharePoint 

Microsoft recently faced critical vulnerabilities in on-premises SharePoint servers that have been actively exploited in the wild.  

To mitigate these threats, Microsoft issued customer guidance and released security updates for CVE-2025-53770 and CVE-2025-53771, covering all supported SharePoint versions. 

In this month’s campaign, we’re dissecting this multi-stage exploit chain, known as the ToolShell campaign.  

Let’s dig in. 

Overview of the SharePoint Vulnerabilities (aka ToolShell) 

In mid-2025, researchers and threat actors identified a set of vulnerabilities, known as the ToolShell campaign, potentially impacting thousands of organizations.  

This led to the disclosure of CVE-2025-53770 and CVE-2025-53771, which together enable remote code execution and the leak of cryptographic keys from on-premises SharePoint servers.  

[Figure: step-by-step flow diagram of the ToolShell exploitation flow in Microsoft SharePoint]

According to Microsoft Security Response Center (MSRC), these vulnerabilities apply to on-prem SharePoint Servers only, while SharePoint Online in Microsoft 365 is unaffected. The affected on-premises versions of Microsoft SharePoint Server are:  

  • Microsoft SharePoint Server Subscription Edition (before KB5002768)  
  • Microsoft SharePoint Server 2019 (before KB5002754)  
  • Microsoft SharePoint Server 2016 (before KB5002760)  
  • Older unsupported versions like SharePoint 2013 (not expected to receive patches)   

The ToolShell attacks have been attributed to Chinese state-backed threat groups, such as Linen Typhoon and Violet Typhoon, known for espionage and intellectual property theft.  

Recent reports also show that ransomware gangs, including Storm-2603, have joined the campaign, deploying Warlock ransomware through the SharePoint vulnerability chain. 

[Figure: Storm-2603 flow of the ToolShell exploitation]

What you’ll learn in this spotlight 

This campaign breaks down the entire exploitation flow and highlights how easily misconfigured or unpatched SharePoint servers can become an open door into the enterprise network. 

Access the full spotlight above to learn: 

  • The detailed discovery and exploitation timeline for the two SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771) linked to the ToolShell campaign. 
  • The ToolShell exploitation flow from initial authentication bypass to persistent access. 
  • How to successfully mitigate exploitation attempts of the SharePoint vulnerabilities.